I generally feel underwhelmed when I hear some report of how easy it is to hack almost anything, such as traffic lights, cars, trains, or airplanes. Like most of the digital world, they were not designed by people with a strong understanding of malicious hacking.
With that basic assumption in mind, IOActive decided to assess the vulnerability of communication satellites. In a nutshell, here's what it found:
... malicious actors could abuse all of the devices ... The vulnerabilities included what would appear to be backdoors, hard-coded credentials, undocumented and/or insecure protocols, and weak encryption algorithms. In addition to design flaws, IOActive also uncovered a number of features in the devices that clearly pose security risks.
[ Also from Roger Grimes: The right way to secure the Internet of things | Learn how to safeguard your systems with the Web Browser Deep Dive PDF special report and Security Central newsletter, both from InfoWorld. ]
That about says it all. Anyone shocked?
You may think it's not terribly disastrous that regular, civilian satellites can be hacked. But certainly, military satellite communications in war zones have a higher level of computer security? Not necessarily.
IOActive began its project by downloading publicly available satellite device firmware updates, then reverse-engineering and analyzing. The systems they analyzed are involved in (and/or suitable for) maritime operations, personal communications, SCADA, voice, data, aeronautics, and military uses. Many of the devices appeared to use little or no security or security by obscurity. IOActive's report has a table listing the vendors and products it tested, along with the vulnerabilities found.
As a good player, IOActive isn't publicly releasing details of the vulnerabilities. Instead, it's working with both CERT and the related satellite vendors to accelerate development of fixes. But if the exploits are as ingrained and easy to find as IOActive hints, it won't take a rocket scientist/hacker to find the exploits.
Yes, that probably means that most governments (and the NSA -- we always include the NSA now) have known about and indeed abused these same vulnerabilities. The only remaining question: What badness could malicious parties cause with the vulnerabilities and in what scenarios? IOActive's report speculates that attackers could disable or alter satellite systems to send false telemetry to ships or aircraft, for example.
Fixing satellite issues won't be easy or fast. First, the report covers a very small sampling of satellite vendors. Most will probably have vulnerabilities that are easy to find. Most will likely have huge design flaws that will not be easy to fix, and that's if you can convince the vendors it needs to be fixed. Why should they fix what no one has complained about before or fix something no one has hacked before?
My best guess is that most of these vulnerabilities will remain. I bet many vendors will introduce new products that contain these same vulnerabilities, often using the same code that IOActive examined and reported. It will be interesting to learn from IOActive a year from now to determine which, if any, vulnerabilities were actually addressed.
If you think I'm satirizing vendor responses to newly discovered vulnerabilities in their products, then you haven't conducted penetration testing for a living. At least half of the vendors I've reported vulnerabilities to either don't respond to my repeated communication attempts or simply do nothing for a long time. It's the rare vendor -- outside the computer world, anyway -- that responds to new threats and takes action.
A part of the bigger problem, as is the issue with the OpenSSL Heartbleed vulnerability, is that many (if not most) satellite devices lack auto-updating mechanisms and are likely to remain vulnerable in perpetuity, even if a vendor releases updated firmware. That's part of the problem with any found security bug. Without any auto-updating feature built-in and enabled, many of the users will not know they need to update or how to do it.
We should require that all new digital devices auto-update at periodic intervals when feasible. This should be a top priority for any new device. Otherwise we'll continue to find devices containing huge security vulnerabilities that are never fixed. Attackers love those sorts of scenarios.
This story, "The sky is falling! Hackers target satellites," was originally published at InfoWorld.com. Keep up on the latest developments in network security and read more of Roger Grimes's Security Adviser blog at InfoWorld.com. For the latest business technology news, follow InfoWorld.com on Twitter.